Recently we added some fixes here to skip check forallowedHost, please add it here

It seems not that straightforward. To me bigger effort is needed to incorporate changes from03d1214. This PR uses functions defined in previous commits not available in line 4.

If it's not a problem, I would consider merging this PR and creating separate PR for task you mentioned.

@kretajak let's include03d1214 here, otherwise in some cases it will be impossible to setup a new version and we can merge

@kretajak let me know if you need help backporting that commit. I could try to add it on top of your existing PR if you don't have time to. We have at least 3 Docusaurus issues asking us to solve this security warning so happy to help and get this solved asap.

I'm currently trying to backport that commit. I'll inform you whether I was able to make it.

I have added new commit which should move us a bit closer. Seems like also changes from6045b1e might be required as they are tightly connected to03d1214.

@slorber feel free to continue the work.

I believe there is a bug in version 5 ofweboack-dev-server.false is returned there, but my guess is that whenvalidateHost isfalse we should bypass checking and returntrue here.

Above function when called:isValidHost({ host: '127.0.0.1 }, 'host', validateHost = false) returnfalse while it should returntrue. I assume that is the reason so many tests of6045b1e were changed.

@kretajak it is not a bug, because 127.0.0.1 can be used for attack, you should manually set127.0.0.1 inallowedHosts for CORS requests, i.e. you openedbad-site.com, this this site can try to connect tows://localhost:3000 and without such headers non chromium and old chromium browsers will connect to your websockets and can take your source code (in some cases)

Okey. I reverted it tofalse.